help understanding alarm for generic SQL injection in HTTP

Unanswered Question
Jan 16th, 2008
User Badges:
  • Blue, 1500 points or more

I don't quite get the regex in 5474-1 shown below. The '+' I think I get; if the data is a GET or a POST with enctype=application/x-www-form-urlencoded then spaces are encoded as +. But the regex also appears to be looking for a literal '%' and then '20'. Why for? If the request is "multipart/form-data" it will have a space character in the data (which has a hex value of \x20 but that's not what the regex is looking for).








  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mhellman Wed, 01/16/2008 - 15:25
User Badges:
  • Blue, 1500 points or more

hmmm...upon further thought, this would be required for detecting SQL injection via GET method. So, I guess my question now is, what about via POST with enctype="multipart/form-data"?


This Discussion